(November 12, 2012)
Security researchers have unearthed evidence that the malware infection
found on Israeli police computers is likely part of a yearlong
cyberespionage operation that targeted entities in Israel and the
Palestinian territories. Last month, Israeli police took down their
computer network after discovering that it had been infected with a
remote access Trojan (RAT) known as Xtreme RAT. The malware was
delivered through an email that appeared to come from Israeli Defense
Forces chief of general staff Benny Gantz. The malware was accompanied
by a phony Microsoft certificate, which is what helped researchers at
the Norwegian company Norman ASA link other attacks to the same group,
because those attacks used the same phony certificate. The bait
documents used in the attacks contained metadata that revealed the names
or aliases of some of those involved in their execution. The malware
used dynamic DNS providers to change the IP addresses of the control
networks. In the earlier attacks against Palestinian targets, most of
the addresses were traced to a network in Gaza; when the attackers
shifted their focus to Israel, the control servers shifted to the US.